On June 7th, the OCC added bulletin 29 to third-party relationships to clarify the way lenders should interact with third-party vendors. To us, that means how lenders deal with title and closing providers.
Get the entire OCC bulletin here
As part of the lengthy bulletin, the OCC stated that the lender is responsible for ongoing monitoring:
Ongoing monitoring for the duration of the third-party relationship is an essential component of the bank’s risk management process. More comprehensive monitoring is necessary when the third-party relationship involves critical activities. Senior management should periodically assess existing third-party relationships to determine whether the nature of the activity performed now constitutes a critical activity.
After entering into a contract with a third party, bank management should dedicate sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third party commensurate with the level of risk and complexity of the relationship. Regular on-site visits may be useful to understand fully the third party’s operations and ongoing ability to meet contract requirements. Management should ensure that bank employees that directly manage third-party relationships monitor the third party’s activities and performance. A bank should pay particular attention to the quality and sustainability of the third party’s controls, and its ability to meet service-level agreements, performance metrics and other contractual terms, and to comply with legal and regulatory requirements.
The OCC expects the bank’s ongoing monitoring of third-party relationships to cover the due diligence activities discussed earlier. Because both the level and types of risks may change over the lifetime of third-party relationships, a bank should ensure that its ongoing monitoring adapts accordingly. This monitoring may result in changes to the frequency and types of required reports from the third party, including service-level agreement performance reports, audit reports, and control testing results. In addition to ongoing review of third-party reports, some key areas of consideration for ongoing monitoring may include assessing changes to the third party’s
• business strategy (including acquisitions, divestitures, joint ventures) and reputation (including litigation) that may pose conflicting interests and impact its ability to meet contractual obligations and service-level agreements.
• compliance with legal and regulatory requirements.
• financial condition.
• insurance coverage.
• key personnel and ability to retain essential knowledge in support of the activities.
• ability to effectively manage risk by identifying and addressing issues before they are cited in audit reports.
• process for adjusting policies, procedures, and controls in response to changing threats and new vulnerabilities and material breaches or other serious incidents.
• information technology used or the management of information systems.
• ability to respond to and recover from service disruptions or degradations and meet business resilience expectations.
• reliance on, exposure to, or performance of subcontractors; location of subcontractors; and the ongoing monitoring and control testing of subcontractors.
• agreements with other entities that may pose a conflict of interest or introduce reputation, operational, or other risks to the bank.
• ability to maintain the confidentiality and integrity of the bank’s information and systems.
• volume, nature, and trends of consumer complaints, in particular those that indicate compliance or risk management problems.
• ability to appropriately remediate customer complaints.
Bank employees who directly manage third-party relationships should escalate to senior management significant issues or concerns arising from ongoing monitoring, such as an increase in risk, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, service or system interruptions, or compliance lapses. Additionally, management should ensure that the bank’s controls to manage risks from third-party relationships are tested regularly, particularly where critical activities are involved. Based on the results of the ongoing monitoring and internal control testing, management should respond to issues when identified including escalating significant issues to the board.